CN103973676A - Cloud computing safety protection system and method based on SDN - Google Patents

Cloud computing safety protection system and method based on SDN

Info

Publication number: CN103973676A
Authority: CN (China)
Prior art keywords: module, virtual, virtual machine, security, sdn
Legal status: Granted
Application number: CN201410160049.3A
Other languages: Chinese (zh)
Other versions: CN103973676B (en)
Inventors: 杨育斌, 程丽明
Current assignee: Bluedon Information Security Technologies Co Ltd
Original assignee: Bluedon Information Security Technologies Co Ltd
Application filed by Bluedon Information Security Technologies Co Ltd
Priority to CN201410160049.3A
Publication of CN103973676A
Application granted; publication of CN103973676B
Current legal status: Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a cloud computing security protection system based on SDN. The system is composed of a controller cluster control module, an environment monitoring module and a cluster basic function guarantee module. The controller cluster control module is the core of the whole system: from the information fed back by the environment monitoring module it learns of changes in the current network, such as the addition and deletion of switches and terminals, and of changes in the cloud computing environment, such as the addition, deletion and migration of virtual machines. The environment monitoring module uses SDN-capable virtual switches and SDN-capable virtual platform management interfaces to recognise automatically, without affecting normal service operation, the changes in security requirements caused by virtual machine migration, addition and deletion and by other changes in service flows. The cluster basic function guarantee module coordinates and manages the multiple controllers in the cloud environment. The invention further discloses a cloud computing security protection method based on SDN. With this system and method, customisable security protection services can be provided flexibly, quickly and on demand in a cloud environment.

Description

Cloud computing security protection system and method based on SDN
Technical field
The present invention relates to the field of network security technology, and in particular to a cloud computing security protection system and method based on SDN.
Background technology
At present many industries in China have invested heavily in cloud computing, but most cloud construction is still at an early stage. Some operators, large enterprises and large government information centres have, after several years of construction, built up Infrastructure as a Service (IaaS) clouds, and many organisations are gradually moving non-core business onto cloud platforms; the migration of core business, however, is proceeding slowly, out of concern that the data centre or cloud platform might suffer data leakage or service interruption. One reason is that the introduction of virtualization technology breaks the traditional division of network boundaries, and the number of virtual machines changes so rapidly that security protection must adapt just as fast; traditional security technologies cannot deliver effective protection under these conditions. For government and enterprise users whose IT environment is built on a virtualized cloud platform architecture, security and compliance therefore remain the primary concerns: such users need a complete security solution that provides lasting protection for both virtual and physical environments and satisfies their compliance audit requirements.
The invention patent application with application number 201310539052.1 relates to a software defined network security implementation method, system and controller, and belongs to the field of network technology security. The software defined network security implementation method it discloses comprises: a security kernel module deployed in the controller's network operating system (NOS) collects network state information in real time; a security application analyses the network security state according to that information and, when a network security threat is detected, generates a corresponding security policy; the security kernel module converts the security policy generated by the security application into flow table entry rules and installs or updates them on the data-link-layer switches. That application also discloses two further software defined network security implementation methods, a software defined network security implementation system and a controller. The scheme effectively addresses the security problems faced by software defined networks.
That reference uses the three-layer SDN model, with the emphasis on building a controller-based network operating system that automatically recognises the network security state, generates a policy, converts it into flow tables and pushes them to SDN-capable physical or virtual switches, so as to protect the current network intelligently and in real time.
However, that technique struggles when the protected objects change quickly, for example when virtual machines are added suddenly or migrated in bulk to a data centre in another location. The protection load grows, the scheme cannot keep up with the demand for protection, and the controller's network operating system may fail to track the protected virtual machines or to provide security protection for a rapidly growing number of them.
Many manufacturers have released their own secure virtual device (SVM) products. SVMs can be deployed rapidly, scale well and provide services flexibly on demand.
For example, Trend Micro's Deep Security virtual appliance enforces security policy transparently and provides agentless malware protection, IDS/IPS, integrity monitoring, web application protection, application control and firewall protection for virtual machines on VMware vSphere; if required, it can be combined with the Deep Security agent to perform log inspection and defence in depth.
As another example, Vyatta provides a commercial security appliance, supplying devices for cloud architectures at every network tier. Vyatta's product line includes the Vyatta virtual network appliance, which runs as a virtual appliance in VMware, XEN and XenServer virtual machine environments. The virtual security appliance includes a firewall, IPSec and SSL-based VPN, intrusion detection, filtering, router-based dynamic routing and NAT, and services such as DHCP, and is prepared for IPv6.
Some of these secure virtual devices serve customers as virtual machines, and some are combined with a virtualization platform. They can be quickly installed and deployed on a suitable virtualization platform and, as the master control centre requires, be deployed on or shut down on a host. However, when these virtual devices have to track traffic accurately, for instance traffic between virtual machines, traffic passing through a specified user (identified by IP or MAC address, for example) or traffic during virtual machine migration, they cannot complete the task efficiently.
Furthermore, the addition and deletion of virtual devices that serve customers as virtual machines is mostly performed manually; if the number of virtual machines in the cloud environment changes sharply, there may well be no time to respond to the changing security requirements of the cloud.
Summary of the invention
To overcome the shortcomings and deficiencies of security protection in cloud computing in the prior art, the present invention adopts a cloud computing security protection method based on SDN, thereby providing customisable security protection services flexibly, quickly and on demand in a cloud environment.
The cloud computing security protection system based on SDN provided by the invention relies on SDN-capable virtual switches and a virtual platform management interface. Without affecting normal service operation, it automatically recognises the changes in security requirements caused by virtual machine migration, virtual machine addition and deletion and other changes in service flows, formulates a new security policy, quickly deploys or shuts down the required secure virtual devices (for example IDS, audit products, vulnerability scanning and security management platforms) on demand on each host at the various sites of the cloud computing centre, and updates the security policy on the SDN-capable virtual switches. In this way it protects the cloud computing centre effectively in real time while saving system resources. The system comprises the following modules:
The system is made up of a controller cluster control module, an environment monitoring module and a cluster basic function guarantee module.
The controller cluster control module is the core of the whole system. From the information fed back by the environment monitoring module it learns of changes in the current network, such as switch and terminal addition and deletion, and of changes in the cloud computing environment, such as virtual machine addition, deletion and migration. It comprises a security decision module, an SDN controller cluster control module and an SVM controller cluster control module.
The security decision module creates, changes and deletes security policies according to the environment information obtained. It comprises a security policy acquisition module, a security policy analysis module and a security policy execution module. The security policy acquisition module analyses the environment information obtained from the environment monitoring module, derives the corresponding parameters according to an algorithm and passes them to the security policy analysis module; the security policy analysis module then determines from those parameters how the virtual machines, the network and the services have changed, and outputs the result to the security policy execution module; finally the security policy execution module formulates the new traffic security policy and the required changes to the secure virtual devices, and notifies the SDN controller cluster control module and the SVM controller cluster control module to carry them out.
The SDN controller cluster control module is responsible for enforcing the network traffic rules. It comprises a flow table generation module, a flow table issuing module, a switch sharing control module, a switch interface communication module and a virtual switch change module. The flow table generation module generates the flow tables that need to change according to the traffic security policy and the secure virtual device changes sent by the security decision module; the virtual switch change module then notifies the host concerned to create or delete a virtual switch, or to create or delete ports or interfaces on an existing virtual switch, as required; finally the flow table issuing module sends the flow tables to the designated virtual switches to update their flow table rules.
The SVM controller cluster control module is responsible for changing the secure virtual devices on the hosts. It comprises a virtual machine creation and deployment module, a virtual machine interrupt module, a virtual machine shutdown module and a virtual machine synchronous migration module. It receives the secure virtual device change requirements sent by the security decision module, selects the appropriate one of these four modules and cooperates with the SDN controller cluster control module to add, interrupt or copy secure virtual devices on the designated host as required.
The environment monitoring module uses the SDN-capable virtual switches and the virtual platform management interface to recognise automatically, without affecting normal service operation, the changes in security requirements caused by virtual machine migration, virtual machine addition and deletion and other changes in service flows. Using the basic functions provided by the cluster basic function guarantee module, it obtains information on changes in network state and in the state of the virtual machines and reports it to the controller cluster control module. It comprises a network state monitoring module, a virtual machine migration monitoring module, a virtual machine state monitoring module and a virtual machine resource change monitoring module. The network state monitoring module observes the network environment in the cloud and pushes a notification to the controller cluster control module when network traffic is abnormal. The virtual machine migration monitoring module, virtual machine state monitoring module and virtual machine resource change monitoring module all monitor the state of the virtual machines in the cloud environment, process the state change information they obtain and send it to the controller cluster control module.
The cluster basic function guarantee module coordinates and manages the multiple controllers in the cloud environment. It comprises a state distribution/synchronization module, a network communication module, a distributed storage management module, a fault recovery module and a redundancy backup module. It is the foundation on which the whole system works: it ensures that the whole control cluster can synchronise all security policies across the cloud environment, obtain all security states in real time, and execute operations in a secure and reliable manner.
In addition, the present invention provides a cloud computing security protection method based on SDN. In this method the virtual switch on each host in the cloud works from the flow tables issued by the master control platform to ensure security: it forwards the traffic of the ports that need monitoring to the designated secure virtual device (SVM) and forwards suspicious traffic to the master control platform. The master control platform formulates the security protection requirements according to the changes in the security environment fed back by the SDN-capable virtual switches and the virtual platform interface, issues flow tables to the relevant virtual switches on each host, and adjusts the secure virtual devices of each host through the interface, for example adding and deleting IDS intrusion detection, security audit, SOC security management platform and vulnerability scanning devices. The virtual bridge of each host in the cloud has been replaced by an SDN-capable virtual switch to meet the requirements of an SDN network. The specific flow of the method is:
S1. System initialization: through the interface of each host in the cloud, the master control platform obtains the state of the virtual machines on each host and the host's resource usage, formulates the traffic security policy and the requirements for generating secure virtual devices, and notifies the SDN controller cluster control module and the SVM controller cluster control module to carry them out.
S2. The network state monitoring module gathers information through the SDN-capable virtual switch on each host in the cloud. When a flow received by an SDN-capable virtual switch matches no flow table rule, the virtual switch extracts the key information of that data flow, formats it into a message of a set format and sends it to the security decision module and the SDN controller of the controller cluster control module, to report the changed network traffic conditions.
S3. The virtual machine migration monitoring module monitors virtual machine migration activity through the interface to the virtualization platform on the host. Specifically, when a virtual machine is about to be migrated, the virtual machine migration monitoring module is notified through this interface and obtains the corresponding information, such as the position of the destination network host, the IP address of the source and the corresponding security policy; finally it formats this information into a message of a set format and feeds it back to the security decision module of the controller cluster control module.
S4. The virtual machine state monitoring module and the virtual machine resource change monitoring module both monitor the state of the virtual machines in the cloud environment, process the state change information they obtain and send it to the controller cluster control module. The virtual machine state monitoring module monitors the state of running virtual machines and changes in the network, compute and storage resources they occupy; the virtual machine resource change monitoring module monitors the shutdown and interruption of virtual machines. The information the two modules obtain is organised into a set format and fed back to the security decision module of the controller cluster control module.
S5. The security policy acquisition module of the security decision module of the controller cluster control module analyses the environment change information obtained from steps S2 to S4, derives the current security threat level and the scope of security protection according to an algorithm, converts them into parameters and passes them to the security policy analysis module. The security policy analysis module processes those parameters according to the system's default security policy rules and generates the security policy to be executed. The security policy comprises the traffic forwarding rules each node in the network must observe, which hosts need how many secure virtual devices of which type, and which virtual switch items on the hosts need to change. The security policy analysis module then outputs the result to the security policy execution module, and finally the security policy execution module notifies the SDN controller cluster control module and the SVM controller cluster control module to carry out these security decisions.
S6. The virtual switch change module of the SDN controller cluster control module determines, from the traffic security policy and the secure virtual device change requirements sent by the security decision module in step S5, which virtual switches on which hosts need to be added, changed or deleted, and then notifies the hosts concerned to create, change or delete a virtual switch, or to create, change or delete ports or interfaces on an existing virtual switch.
S7. Following the notification from the security policy execution module in step S5, the SDN controller cluster control module calls the flow table generation module to generate the flow tables that need to be added, updated or deleted, and the flow table issuing module then sends them to the designated virtual switches to update the flow table rules on them.
S8. According to the information notified by the security policy execution module in step S5, the SVM controller cluster control module completes the changes to the secure virtual devices on the hosts. It comprises a virtual machine creation and deployment module, a virtual machine interrupt module, a virtual machine shutdown module and a virtual machine synchronous migration module; it receives the secure virtual device change requirements sent by the security decision module, selects the appropriate one of these four modules and cooperates with the SDN controller cluster control module to add, interrupt or copy secure virtual devices on the designated host as required. In this way, when virtual machines on a host are added or deleted, the host can provide a matching security capability without wasting resources, and when a virtual machine migrates between hosts, the original security policy follows the virtual machine without interruption.
S9. Finally, the virtual switch change module of the SDN controller cluster control module re-checks the secure virtual devices and the parts of the network that have changed, and revises the flow tables accordingly.
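The control loop of steps S1 to S9, as an added simulation that is not part of the patent or any product of the assignee: a master controller keeps one SDN-capable virtual switch per host, installs a table-miss entry that sends unmatched flows to the controller (S1, S2), reacts to VM add, delete and migrate events from the environment monitoring module (S3, S4), decides on flow table entries and SVM create or shutdown orders (S5 to S8), and re-audits its own state (S9). The policy it applies (mirror each managed VM's traffic to one IDS SVM per active host; isolate a source MAC that belongs to no managed VM) and all hosts, MACs and event names are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class FlowEntry:
    priority: int
    match: dict    # header fields that must all match, e.g. {"dl_src": "..."}
    actions: list  # e.g. ["normal", "output:svm"], ["controller"], ["drop"]


@dataclass
class VSwitch:
    """SDN-capable virtual switch on one host (replaces the host's bridge)."""
    host: str
    flows: list = field(default_factory=list)

    def lookup(self, pkt):
        """Highest-priority matching entry wins; None means a table miss."""
        for entry in sorted(self.flows, key=lambda e: -e.priority):
            if all(pkt.get(k) == v for k, v in entry.match.items()):
                return entry.actions
        return None


class Controller:
    """Master control platform: security decision plus SDN and SVM control."""
    SVM_TYPE = "ids"  # assumption: one IDS secure virtual device per active host

    def __init__(self, hosts):
        self.switches = {h: VSwitch(h) for h in hosts}
        self.svms = {}     # host -> SVM type currently deployed
        self.vms = {}      # vm name -> (host, mac)
        self.actions = []  # SVM create/shutdown orders issued to hosts (S8)
        for sw in self.switches.values():   # S1: table miss goes to controller
            sw.flows.append(FlowEntry(0, {}, ["controller"]))

    def handle(self, event):
        """Entry point for messages from the environment monitoring module."""
        kind = event["kind"]
        if kind == "vm_add":
            self._place(event["vm"], event["host"], event["mac"])
        elif kind == "vm_delete":
            self._remove(event["vm"])
        elif kind == "vm_migrate":          # S3: the policy follows the VM
            _, mac = self.vms[event["vm"]]
            self._remove(event["vm"])
            self._place(event["vm"], event["dst"], mac)
        elif kind == "table_miss":          # S2: unmatched flow reported
            self._decide_miss(event["host"], event["pkt"])

    # S5 to S8: decisions and their execution on switches and SVMs
    def _place(self, vm, host, mac):
        self.vms[vm] = (host, mac)
        self._ensure_svm(host)
        self.switches[host].flows.append(        # mirror VM traffic to the SVM
            FlowEntry(10, {"dl_src": mac}, ["normal", "output:svm"]))

    def _remove(self, vm):
        host, mac = self.vms.pop(vm)
        sw = self.switches[host]
        sw.flows = [e for e in sw.flows if e.match.get("dl_src") != mac]
        if not any(h == host for h, _ in self.vms.values()):
            # last managed VM left this host: release the SVM's resources
            self.actions.append(("shutdown", host, self.svms.pop(host)))

    def _ensure_svm(self, host):
        if host not in self.svms:
            self.svms[host] = self.SVM_TYPE
            self.actions.append(("create", host, self.SVM_TYPE))

    def _decide_miss(self, host, pkt):
        known = {mac for _, mac in self.vms.values()}
        src = pkt.get("dl_src")
        # Assumed threat rule: a source MAC that belongs to no managed VM is
        # treated as suspicious and isolated with a high-priority drop entry.
        if src is not None and src not in known:
            self.switches[host].flows.append(FlowEntry(100, {"dl_src": src}, ["drop"]))

    def audit(self):
        """S9: re-check every switch and SVM against the VM inventory."""
        problems = []
        for vm, (host, mac) in self.vms.items():
            rules = self.switches[host].flows
            if not any(e.match.get("dl_src") == mac for e in rules):
                problems.append(f"{vm}: no mirror rule on {host}")
            if host not in self.svms:
                problems.append(f"{vm}: no SVM on {host}")
        return problems


if __name__ == "__main__":
    # Constructed event sequence: a VM is added, an unknown source shows up,
    # then the VM migrates to a second host.
    c = Controller(["hostA", "hostB"])
    c.handle({"kind": "vm_add", "vm": "web1", "host": "hostA", "mac": "00:11:22:33:44:01"})
    c.handle({"kind": "table_miss", "host": "hostA", "pkt": {"dl_src": "de:ad:be:ef:00:01"}})
    c.handle({"kind": "vm_migrate", "vm": "web1", "dst": "hostB"})
    print(c.actions)            # create on hostA, shutdown on hostA, create on hostB
    print(c.audit())            # [] when switches and SVMs agree with the inventory
```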
Beneficial effects of the technical solution: the invention can cope successfully with rapid changes in security protection requirements, such as a sudden increase in the number of protected virtual machines in the cloud environment or the migration of virtual machines in bulk to a data centre in another location. Through the SDN-capable virtual switches and the virtualization platform interface, the master control platform automatically recognises changes in security requirements without affecting normal service operation, and quickly deploys or shuts down virtual devices on each host at the various sites of the cloud computing centre, thus effectively protecting the network environment of the cloud computing centre and the virtual machines in it.
Brief description of the drawings
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is the functional block diagram of the system of the present invention;
Fig. 2 is the network topology diagram of the system of the present invention;
Fig. 3 is the physical structure schematic diagram of the system of the present invention.
Embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the present invention.
The cloud computing security protection system and method based on SDN protect virtual machines in the face of the features that distinguish a cloud computing environment from a traditional one, such as the dynamically changing number of virtual machines and the virtual machine changes caused by migration. Relying on SDN-capable virtual switches and the virtual platform management interface, the method and system automatically recognise, without affecting normal service operation, the changes in security requirements caused by virtual machine migration, virtual machine addition and deletion and other changes in service flows; formulate a new security policy; quickly deploy or shut down the required secure virtual devices (for example IDS, audit products, vulnerability scanning and security management platforms) on demand on each host at the various sites of the cloud computing centre; and update the security policy on the SDN-capable virtual switches, so that the cloud computing centre is protected effectively in real time while system resources are saved.
A functional block diagram of the cloud computing security protection system based on SDN is shown in Figure 1:
The system is made up of a controller cluster control module, an environment monitoring module and a cluster basic function guarantee module.
The controller cluster control module is the core of the whole system. From the information fed back by the environment monitoring module it learns of changes in the current network, such as switch and terminal addition and deletion, and of changes in the cloud computing environment, such as virtual machine addition, deletion and migration. It is recommended that the controllers use out-of-band management, so that information on environment changes can be obtained without affecting normal service operation. The controller then automatically recognises changes in security requirements according to the configured security protection level, adjusts the security policy, and issues the policy for execution. Execution of the security policy takes two forms: enforcement of network traffic rules, in which the SDN controller issues flow tables to the virtual switches; and adjustment of SVMs, in which the SVM controller notifies the host to add or shut down secure virtual devices.
The controller cluster control module comprises a security decision module, an SDN controller cluster control module and an SVM controller cluster control module. The security decision module creates, changes and deletes security policies according to the environment information obtained, and comprises a security policy acquisition module, a security policy analysis module and a security policy execution module. The security policy acquisition module analyses the environment information obtained from the environment monitoring module, derives the corresponding parameters according to an algorithm and passes them to the security policy analysis module. The security policy analysis module then determines from those parameters how the virtual machines, the network and the services have changed, and outputs the result to the security policy execution module. Finally the security policy execution module formulates the new traffic security policy and the required changes to the secure virtual devices, and notifies the SDN controller cluster control module and the SVM controller cluster control module to carry them out.
The SDN controller cluster control module is responsible for enforcing the network traffic rules and comprises a flow table generation module, a flow table issuing module, a switch sharing control module, a switch interface communication module and a virtual switch change module. The flow table generation module generates the flow tables that need to change according to the traffic security policy and the secure virtual device changes sent by the security decision module; the virtual switch change module then notifies the host concerned to create or delete a virtual switch, or to create or delete ports or interfaces on an existing virtual switch, as required; finally the flow table issuing module sends the flow tables to the designated virtual switches to update their flow table rules. The switch sharing control module and the switch interface communication module guarantee that the above services are completed securely and efficiently.
The SVM controller cluster control module is responsible for changing the secure virtual devices on the hosts and comprises a virtual machine creation and deployment module, a virtual machine interrupt module, a virtual machine shutdown module and a virtual machine synchronous migration module. It receives the secure virtual device change requirements sent by the security decision module, selects the appropriate one of these four modules and cooperates with the SDN controller cluster control module to add, interrupt or copy secure virtual devices on the designated host as required. In this way, when virtual machines on a host are added or deleted, the host can provide a matching security capability without wasting resources, and when a virtual machine migrates between hosts, the original security policy follows the virtual machine without interruption.
Environmental monitoring module use support SDN virtual switch and and virtual platform management interface, the variation of the demand for security that automatically identification causes as virtual machine (vm) migration, virtual machine additions and deletions, other Business Stream variations etc. in the situation that not affecting regular traffic work.The basic function that environmental monitoring module provides based on cluster basic function assurance module, obtains the information that network state changes and virtual machine situation changes, and reflects to controller cluster control module.Environmental monitoring module comprises network status monitoring module, virtual machine (vm) migration monitoring module, virtual machine state monitoring module, resources of virtual machine variation monitoring module.
Network status monitoring module is observed the network environment in cloud environment, pushed information notification controller cluster control module in the time of exception of network traffic.Be specially, the virtual switch of network status monitoring module based on supporting SDN, security decision module and SDN controller to controller cluster control module in the time that the stream of supporting the virtual switch of SDN to receive cannot meet secure flows table rule send the information of extracting, to reflect the network traffic conditions of current variation.
Virtual machine (vm) migration monitoring module, virtual machine state monitoring module, resources of virtual machine variation monitoring module are all the monitoring states to virtual machine in cloud environment and will after the information processing of the state variation of obtaining, be sent to controller cluster control module.Wherein virtual machine (vm) migration monitoring module obtains corresponding information by the interface of main frame virtual machine platform in the time that virtual machine preparation is moved, as the network host position of moving into, former IP address of moving out, corresponding security strategy etc., and feed back to controller cluster control module.The monitoring state of virtual machine state monitoring module to the virtual machine moving, the variation of the shared Internet resources of monitoring virtual machine, computational resource and storage.Resources of virtual machine variation monitoring module is closed virtual machine and the situation of interrupting is monitored.
The cluster basic function guarantee module coordinates and manages the multiple controllers in the cloud environment. It comprises a state distribution/synchronization module, a network communication module, a distributed storage management module, a fault recovery module and a redundancy backup module. It is the foundation on which the whole system works: it guarantees that the whole control cluster can synchronize all security policies across the cloud environment, obtain all real-time security states, and execute operations in a secure and reliable manner.
In particular, the cluster basic function guarantee module uses the network communication module to communicate securely with the SDN-capable virtual switches over a southbound interface protocol, and uses the other modules to synchronize flow tables between the multiple controllers; it also uses the network communication module to communicate with the VMM/hypervisor of each host, transmitting and executing the commands that add or delete security virtual appliances in encrypted form. The state distribution/synchronization module guarantees that commands from the master control centre reach the virtual switches or the hosts' VMM/hypervisor promptly and reliably, and keeps policy commands synchronized. The redundancy backup module keeps a redundant backup of the controller of each region, to prevent loss of information when a controller is interrupted unexpectedly. The fault recovery module restores the related security protection measures quickly after a controller, a virtual switch or a cloud host fails.
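As an added illustration of the cluster basic function guarantee module (example code written for this page, not code from the patent or from Bluedon), the model below replicates policy state to every live controller, gives each region a primary and a backup controller, and on failure has the backup re-issue the region's flow tables from its replicated copy. The class names, the region layout and the flow-rule dictionaries are assumptions; no real controller software is used.

```python
# Added example, not code from the patent: a self-contained model of the cluster
# basic-function guarantee module. Policy state is replicated to every live controller,
# each region has a primary and a backup controller, and fail-over re-issues the region's
# flow tables from the replicated state. Names and region layout are assumptions.
from copy import deepcopy


class Controller:
    def __init__(self, name: str):
        self.name, self.alive = name, True
        self.policies = {}  # host -> flow rules, replicated across the cluster
        self.issued = {}    # host -> flow rules this controller actually pushed


class ControlCluster:
    """regions: {region_name: (primary_controller, backup_controller, [hosts])}"""

    def __init__(self, regions: dict):
        self.controllers, self.regions = {}, {}
        for region, (primary, backup, hosts) in regions.items():
            for name in (primary, backup):
                self.controllers.setdefault(name, Controller(name))
            self.regions[region] = {"primary": primary, "backup": backup, "hosts": list(hosts)}

    def _live(self) -> list:
        return [c for c in self.controllers.values() if c.alive]

    def region_of(self, host: str) -> str:
        return next(r for r, d in self.regions.items() if host in d["hosts"])

    def active_for(self, region: str) -> Controller:
        """Redundancy backup: the primary serves the region while alive, else the backup."""
        for role in ("primary", "backup"):
            c = self.controllers[self.regions[region][role]]
            if c.alive:
                return c
        raise RuntimeError("no live controller for region " + region)

    def _reissue(self, ctrl: Controller, region: str):
        # push every known flow table of the region from the controller's replicated copy
        for host in self.regions[region]["hosts"]:
            if host in ctrl.policies:
                ctrl.issued[host] = deepcopy(ctrl.policies[host])

    def set_policy(self, host: str, rules: list):
        """State distribution/synchronization: write to all live controllers, then let
        the region's active controller issue the flow table to the host."""
        for c in self._live():
            c.policies[host] = deepcopy(rules)
        self.active_for(self.region_of(host)).issued[host] = deepcopy(rules)

    def fail(self, name: str):
        """Fault recovery: regions served by the failed controller fall back to the
        other controller of the region, which re-issues their flow tables."""
        self.controllers[name].alive = False
        for region, d in self.regions.items():
            if name in (d["primary"], d["backup"]):
                self._reissue(self.active_for(region), region)

    def recover(self, name: str):
        """A controller that rejoins resynchronizes from a live peer and, where it is
        the primary, takes its regions back and re-issues their flow tables."""
        c, peer = self.controllers[name], self._live()[0]
        c.policies, c.issued, c.alive = deepcopy(peer.policies), {}, True
        for region, d in self.regions.items():
            if d["primary"] == name:
                self._reissue(c, region)

    def consistent(self) -> bool:
        """True when all live controllers hold identical policy state."""
        live = self._live()
        return all(c.policies == live[0].policies for c in live)
```

Two things the model leaves out deserve attention in a real deployment. The primary/backup order here is a fixed table, so the two controllers can never disagree about who is active; a real multi-controller cluster needs leader election or a consensus store for that, otherwise a network partition can leave two controllers issuing conflicting flow tables to the same switches. And the "secure communication" of the southbound and hypervisor channels must be mutually authenticated, since a controller that accepts unauthenticated flow-table or SVM commands is the most valuable target in this design.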
In the SDN-based cloud computing security protection method, the virtual switch on each host of the cloud forwards traffic according to the flow table issued by the master control platform so as to ensure security, forwards the traffic of the ports to be monitored to the designated security virtual machine (SVM), and forwards suspicious traffic to the master control platform. The master control platform formulates the security protection requirements according to the changes in the security environment fed back by the SDN-capable virtual switches and the virtualization platform interface, issues flow tables to the relevant virtual switches on each host, and through the interface adjusts the security virtual appliances on each host, for example adding or removing IDS intrusion detection, security audit, SOC security management platform and vulnerability scanning appliances. The virtual bridge of each host in the cloud is replaced by an SDN-capable virtual switch to meet the requirements of the SDN network.
The specific procedure is as follows:
1. System initialization. The master control platform obtains, through the interface of each host in the cloud, the virtual machines on each host and the host's resource usage, formulates the traffic security policy and the requirements for generating security virtual appliances, and notifies the SDN controller cluster control module and the SVM controller cluster control module to carry them out. The master control platform issues to the SDN-capable virtual switch of each host a basic flow table built from the security rules, and deploys the required security virtual appliances on the corresponding hosts through the interface.
2. The network state monitoring module collects information through the SDN-capable virtual switch on each host. When a flow received by the virtual switch matches no flow-table rule, the switch extracts the key information of that flow, arranges it into a fixed-format message and sends it to the security decision module and the SDN controller of the controller cluster control module, reflecting the current change in network traffic.
3. The virtual machine migration monitoring module monitors migration activity through the interface with the virtualization platform on the host. Specifically, when a virtual machine is about to migrate, the module is notified through this interface and obtains the relevant information, such as the destination host, the IP address the virtual machine is migrating from and the associated security policy. Finally it arranges this information into the fixed-format message and feeds it back to the security decision module of the controller cluster control module.
4. The virtual machine state monitoring module and the virtual machine resource change monitoring module both monitor the state of the virtual machines in the cloud environment, process the state-change information they obtain and send it to the controller cluster control module. The virtual machine state monitoring module monitors running virtual machines, tracking changes in the network, compute and storage resources they occupy. The virtual machine resource change monitoring module monitors virtual machine shutdown and suspension. After obtaining the information, both modules arrange it into the fixed format and feed it back to the security decision module of the controller cluster control module.
5. The security policy acquisition module of the security decision module of the controller cluster control module analyses the environment-change information obtained in steps 2 to 4, derives the current security threat level and security protection scope according to its algorithm, converts them into the corresponding parameters and passes them to the security policy analysis module. The security policy analysis module processes the parameters against the system's default security policy and generates the security policy to be executed. The security policy comprises the traffic forwarding rules that each node in the network must follow, which hosts need how many security virtual appliances of which type, and which virtual switches on the hosts need to be changed. The security policy analysis module then outputs the result to the security policy execution module. Finally the security policy execution module notifies the SDN controller cluster control module and the SVM controller cluster control module to execute these security decisions.
6. The virtual switch change module of the SDN controller cluster control module determines, from the traffic security policy and the security virtual appliance change requirements sent by the security decision module in step 5, which virtual switches on which hosts need to be added, changed or deleted, and notifies the corresponding hosts to create, change or delete virtual switches, or to add, change or delete ports or interfaces on existing virtual switches.
7. The SDN controller cluster control module calls the flow table generation module to generate the flow tables that need to be added, updated or deleted according to the notification of the security policy execution module in step 5; the flow table issuing module then sends the flow tables to the designated virtual switches to update their flow-table rules. These virtual switches forward according to the flow tables issued by the master control platform so as to ensure security, forward the traffic of the monitored ports to the designated security virtual machine (SVM), and forward suspicious traffic to the master control platform.
8. The SVM controller cluster control module, according to the notification of the security policy execution module in step 5, performs the changes to the security virtual appliances on the hosts; it comprises a virtual machine creation and deployment module, a virtual machine suspension module, a virtual machine shutdown module and a virtual machine synchronous migration module. It receives the security virtual appliance change requirements sent by the security decision module, selects the corresponding one of these four modules and coordinates with the SDN controller cluster control module to add, suspend or clone security virtual appliances on the designated host. In this way, when virtual machines are added to or deleted from a host, the host is given matching protection capacity without wasting resources; and when a virtual machine migrates between hosts, its original security policy follows it without interruption.
9. Finally, the virtual switch change module of the SDN controller cluster control module re-examines the security virtual appliances and the parts of the network that have changed, and revises the flow tables.
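The nine steps above, worked through as an added example (code written for this page, not the patent's or Bluedon's implementation). A per-host virtual switch matches flows against its table and reports table misses to the platform (step 2); the platform reacts to virtual machine addition, migration and deletion by placing an IDS security virtual machine on the host, mirroring the VM's allowed service ports to it, carrying the VM's rules to the destination host on migration and reclaiming the IDS SVM when no VM is left (steps 5 to 8); and table-miss reports for ports no managed VM serves are judged suspicious and pinned to the master control platform. Class names, the action strings (`"mirror:ids"`, `"to_platform"`) and the allowed-port list are assumptions; no real SDN controller, OpenFlow library or hypervisor API is used.

```python
# Added example, not code from the patent: a self-contained simulation of the nine-step
# control loop. Class and action names (MasterControlPlatform, SdnVSwitch, "mirror:ids",
# "to_platform") are assumptions; no real SDN controller, OpenFlow library or hypervisor API is used.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Match:
    """Header fields a flow-table entry matches on; None means wildcard."""
    ip_src: Optional[str] = None
    ip_dst: Optional[str] = None
    tp_dst: Optional[int] = None

    def hits(self, pkt: dict) -> bool:
        return all(v is None or pkt.get(k) == v for k, v in vars(self).items())


@dataclass
class FlowEntry:
    priority: int
    match: Match
    actions: tuple  # e.g. ("output:vm-a", "mirror:ids") or ("to_platform",)


class SdnVSwitch:
    """The SDN-capable virtual switch on one host (steps 2 and 7)."""

    def __init__(self, host: str):
        self.host, self.table, self.miss_reports = host, [], []

    def install(self, entries):
        # an entry with the same match replaces the old one; highest priority first
        keep = [e for e in self.table if all(e.match != n.match for n in entries)]
        self.table = sorted(keep + list(entries), key=lambda e: -e.priority)

    def remove_for_ip(self, ip: str) -> list:
        removed = [e for e in self.table if ip in (e.match.ip_src, e.match.ip_dst)]
        self.table = [e for e in self.table if e not in removed]
        return removed

    def forward(self, pkt: dict) -> tuple:
        for e in self.table:
            if e.match.hits(pkt):
                return e.actions
        # table miss: extract the key fields into a fixed-format report (step 2)
        self.miss_reports.append({"host": self.host, **{k: pkt.get(k) for k in ("ip_src", "ip_dst", "tp_dst")}})
        return ("to_platform",)


class MasterControlPlatform:
    """Security decision module plus the SDN and SVM controller cluster control modules."""

    def __init__(self, allowed_ports=(22, 443)):
        self.switches, self.svms = {}, {}   # host -> SdnVSwitch, host -> set of SVM types running
        self.vm_host, self.vm_ip = {}, {}
        self.allowed_ports = set(allowed_ports)
        self.suspicious = []                 # table-miss reports judged suspicious

    def add_host(self, host: str):
        self.switches[host], self.svms[host] = SdnVSwitch(host), set()

    def vm_added(self, vm: str, host: str, ip: str):
        """Step 4 event -> steps 5-8: IDS SVM on the host, allowed ports mirrored to it."""
        self.vm_host[vm], self.vm_ip[vm] = host, ip
        self.svms[host].add("ids")
        self.switches[host].install([FlowEntry(10, Match(ip_dst=ip, tp_dst=p), ("output:" + vm, "mirror:ids"))
                                     for p in sorted(self.allowed_ports)])

    def vm_migrating(self, vm: str, dst: str):
        """Step 3 event: the VM's rules move with it; the source host's SVMs are reclaimed."""
        src, ip = self.vm_host[vm], self.vm_ip[vm]
        carried = self.switches[src].remove_for_ip(ip)
        self.vm_host[vm] = dst
        self.svms[dst].add("ids")
        self.switches[dst].install(carried)
        self._reclaim(src)

    def vm_deleted(self, vm: str):
        host, ip = self.vm_host.pop(vm), self.vm_ip.pop(vm)
        self.switches[host].remove_for_ip(ip)
        self._reclaim(host)

    def _reclaim(self, host: str):
        if host not in self.vm_host.values():  # no VM left: shut its SVMs down
            self.svms[host].clear()

    def handle_miss_reports(self):
        """Step 5 on table-miss reports: a flow to a port no managed VM serves is
        suspicious and is pinned to the master control platform for analysis."""
        for sw in self.switches.values():
            for r in sw.miss_reports:
                if r["ip_dst"] in self.vm_ip.values() and r["tp_dst"] in self.allowed_ports:
                    continue  # allowed service, already covered by the per-VM rule
                self.suspicious.append(r)
                sw.install([FlowEntry(20, Match(r["ip_src"], r["ip_dst"], r["tp_dst"]), ("to_platform",))])
            sw.miss_reports.clear()
```

The pinned `to_platform` rule is installed at a higher priority than the per-VM rules so that the suspicious flow keeps going to the platform even if a later policy update adds a matching forwarding rule; because `remove_for_ip` carries every entry that names the VM's address, the pinned rule migrates with the VM exactly as step 8 requires. The simulation decides suspicion purely on destination port; the patent leaves the decision algorithm of step 5 unspecified.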
The SDN-based cloud computing security protection system of the invention can be deployed on a physical or virtual server, or on a physical personal computer or a virtual machine. A cloud computing environment is divided by scale into multiple cloud computing management work groups, each containing up to 500 physical hosts; the network and the security virtual machines (SVMs) of each work group are managed by one controller. An SVM may be deployed on the cloud computing platform on its own or together with other virtual machines, using the platform's computing capacity to provide comprehensive, high-performance network security protection for the virtual-machine-based systems running on the platform. The network topology of the system is shown in Figure 2, where solid lines represent the control network and dashed lines the business network.
Figure 3 is a schematic of the physical structure of the system; again solid lines represent the control network and dashed lines the business network.
The master control platform communicates out of band: it does not consume the network resources of the existing cloud environment and has good security properties. It communicates directly with each host: its SDN control module talks directly to the SDN-capable switch on the host, steering traffic and adding or deleting flow-table entries according to the security policy; its SVM control module talks directly to the host's VMM/hypervisor, adding or removing security virtual machines (SVMs) as security requires.
The master control platform of the system identifies changes in security requirements, adjusts the security policy, and automatically issues the adjustments to the network traffic rules and to the SVMs: the SDN controller issues flow tables to the virtual switches, and the SVMs are adjusted through the virtualization platform interface. Delivering security functions as SVMs replaces the original hardware-appliance delivery model and is faster, more efficient and cheaper; it covers most security products currently on the market, including IDS intrusion detection, security audit, SOC security management platform and vulnerability scanning. The system provides interfaces that allow third-party security appliances to be used.
1. Efficient, integrated intrusion detection system
The intrusion detection virtual appliance is fully linked with the firewall, monitors network transmissions in real time, detects suspicious behaviour automatically and analyses intrusion signals from outside and inside the network. It raises a warning before a virtual machine is compromised, responds to attacks in real time and provides remediation measures, giving the network system the greatest possible security guarantee.
2. Compliance audit
IT managers and compliance auditors can use the audit virtual appliance to define, and report on, the specific requirements (including enterprise or group regulations and correspondence policies) that compliant operation in their environment must satisfy. Cloud platform administrators can quickly check the overall compliance state of the environment and determine exactly how each virtual machine triggered a violation alarm. The virtual appliance delivers its security functions on the model "data capture, application-layer data analysis, monitoring, audit and response", which makes its auditing far stronger than that of log-collection-based audit systems: it collects a very rich set of audit data and combines it with fine-grained audit rules to meet special protection requirements for sensitive information. This continuous monitoring ensures that changes to the hypervisor/VMM configuration and access permissions are screened, reducing erroneous or inappropriate operations by the virtualization platform administrator.
3. Powerful, comprehensive security management
The SOC virtual appliance, centred on business and services, manages multiple security appliances, security policies and security events in a unified, centralized and dynamic manner in real time, improving operational efficiency and raising the level of intelligence of risk management. It collects network information of various kinds, including SNMP and NetFlow, to obtain the most complete picture of the network, correlates abnormal traffic, and locates and eliminates anomalies quickly. Through long-term baseline analysis of traffic, the system triggers early warnings as soon as an anomaly appears and investigates at the earliest stage of a problem; it helps administrators discover abnormal traffic in the network and control it sensibly, building an intelligent, integrated, multi-layered and linked protection system.
4. On-demand vulnerability scanning
Compared with passive defence means such as intrusion detection systems, vulnerability scanning is an active precaution that can effectively avert hacker attacks on virtual machines and prevent trouble before it happens. The vulnerability scanning virtual appliance can detect weaknesses such as guest virtual machine vulnerabilities inside and outside the host, web vulnerabilities and weak passwords; it supports batch reverse lookup of domain names for IP address ranges, intranet penetration scanning and demonstration of exploitable vulnerabilities. Scanning is provided on demand: single or periodic scan plans can be customized, scanning the virtual machines at scheduled times.
5. Fine-grained database audit
The database audit virtual appliance protects the mainstream database systems in the industry from privilege abuse, attacks on known vulnerabilities, human error and the like. When a user interacts with the database, the appliance automatically performs signature detection and audit-rule checks according to the pre-set risk control policy combined with real-time monitoring of database activity; any attempted attack or operation that violates the audit rules is detected and blocked or alarmed in real time.
It is also conceivable to use security virtual machines (SVMs) that are integrated with the virtualization platform. Commercial software mostly requires cooperation with the virtualization platform vendor to obtain the necessary high privileges, which is difficult to arrange in practice; alternatively a suitable interface can be found in open-source software, but the security risks introduced by such a high-privilege interface must then be considered.
The SDN-based cloud computing security protection system and method provided by the embodiments of the invention have been described above in detail. Specific examples have been used here to explain the principle and the embodiments of the invention, and the description of the embodiments above is intended only to help understand the method of the invention and its core idea. A person of ordinary skill in the art may, following the idea of the invention, make changes in the specific embodiments and the scope of application. In sum, the content of this description should not be construed as limiting the invention.

Claims (10)

1. A cloud computing security protection system based on SDN, characterized in that the system, based on SDN-capable virtual switches and a virtual platform management interface, automatically identifies, without affecting normal business operation, the changes in security requirements caused by virtual machine migration, virtual machine addition and deletion, and other business-flow changes, formulates new security policies, quickly deploys or shuts down the required security virtual appliances on demand on each host at the various sites of the cloud computing centre, and updates the security policies on the SDN-capable virtual switches, thereby effectively protecting the cloud computing centre in real time and saving system resources; the system specifically comprises the following modules:
the system is composed of a controller cluster control module, an environment monitoring module and a cluster basic function guarantee module;
the controller cluster control module is the core of the whole system; according to the information fed back by the environment monitoring module it obtains the change situations of the current network, such as addition and deletion of switches and of terminals, and the change situations in the cloud computing environment, such as addition, deletion and migration of virtual machines; it comprises a security decision module, an SDN controller cluster control module and an SVM controller cluster control module;
the security decision module creates, changes and deletes security policies according to the environment information obtained, and specifically comprises a security policy acquisition module, a security policy analysis module and a security policy execution module; the security policy acquisition module analyses the environment information obtained from the environment monitoring module, derives the corresponding parameters according to an algorithm and passes them to the security policy analysis module; the security policy analysis module then obtains the change situations of virtual machines, network and business according to the above parameters and outputs the result to the security policy execution module; finally the security policy execution module formulates the new traffic security policy and the required security virtual appliance change requirements, and notifies the SDN controller cluster control module and the SVM controller cluster control module to execute them;
the SDN controller cluster control module is responsible for executing the network traffic rules and comprises a flow table generation module, a flow table issuing module, a switch sharing control module, a switch interface communication module and a virtual switch change module; the flow table generation module generates the flow tables that need to be changed according to the traffic security policy and the security virtual appliance change requirements sent by the security decision module; the virtual switch change module then, as required, notifies the corresponding host to create or delete a virtual switch, or to create or delete ports or interfaces on an existing virtual switch on that host; finally the flow table issuing module sends the flow tables to the designated virtual switches to update their flow-table rules;
the SVM controller cluster control module is responsible for changing the security virtual appliances on the hosts and comprises a virtual machine creation and deployment module, a virtual machine suspension module, a virtual machine shutdown module and a virtual machine synchronous migration module; it receives the security virtual appliance change requirements sent by the security decision module, selects the corresponding one of the above four modules and coordinates with the SDN controller cluster control module to add, suspend or clone security virtual appliances on the designated host;
the environment monitoring module uses the SDN-capable virtual switches and the virtual platform management interface to identify automatically, without affecting normal business operation, the changes in security requirements caused by virtual machine migration, virtual machine addition and deletion, and other business-flow changes; using the basic functions provided by the cluster basic function guarantee module, it obtains information about network state changes and virtual machine state changes and reports it to the controller cluster control module; it comprises a network state monitoring module, a virtual machine migration monitoring module, a virtual machine state monitoring module and a virtual machine resource change monitoring module, wherein the network state monitoring module observes the network environment of the cloud and pushes a notification to the controller cluster control module when network traffic is abnormal, and the virtual machine migration monitoring module, the virtual machine state monitoring module and the virtual machine resource change monitoring module all monitor the state of the virtual machines in the cloud environment, process the state-change information they obtain and send it to the controller cluster control module;
the cluster basic function guarantee module coordinates and manages the multiple controllers in the cloud environment and comprises a state distribution/synchronization module, a network communication module, a distributed storage management module, a fault recovery module and a redundancy backup module; it is the foundation on which the whole system works and guarantees that the whole control cluster can synchronize all security policies across the cloud environment, obtain all real-time security states, and execute operations in a secure and reliable manner.
2. The system according to claim 1, characterized in that the security virtual appliances include, but are not limited to, IDS, audit products, vulnerability scanning and security management platforms.
3. The system according to claim 1, characterized in that the controller preferably uses out-of-band management, so that information about environment changes can be obtained without affecting normal business operation; the controller then, according to the configured security protection level, identifies changes in security requirements, adjusts the security policy automatically, and issues and executes these security policies.
4. The system according to claim 1 or 3, characterized in that execution of a security policy takes two forms: execution of network traffic rules, in which the SDN controller issues flow tables to the virtual switches; and adjustment of SVMs, in which the SVM controller notifies a host to add or shut down security virtual appliances.
5. The system according to claim 1, characterized in that the network state monitoring module relies on the SDN-capable virtual switches: when a flow received by an SDN-capable virtual switch matches no rule in its security flow table, the switch sends the extracted information to the security decision module and the SDN controller of the controller cluster control module, so that the current change in network traffic is reflected.
6. The system according to claim 1, characterized in that the virtual machine migration monitoring module obtains the relevant information through the interface of the host's virtualization platform when a virtual machine is about to migrate, for example the destination host, the IP address the virtual machine is migrating from and the associated security policy, and feeds it back to the controller cluster control module; the virtual machine state monitoring module monitors running virtual machines, tracking changes in the network, compute and storage resources they occupy; the virtual machine resource change monitoring module monitors virtual machine shutdown and suspension.
7. The system according to claim 1, characterized in that the cluster basic function guarantee module uses the network communication module to communicate securely with the SDN-capable virtual switches over a southbound interface protocol, and uses the other modules to synchronize flow tables between the multiple controllers; it also uses the network communication module to communicate with the VMM/hypervisor of each host, transmitting and executing the commands that add or delete security virtual appliances in encrypted form; the state distribution/synchronization module guarantees that commands from the master control centre reach the virtual switches or the hosts' VMM/hypervisor promptly and reliably, and keeps policy commands synchronized; the redundancy backup module keeps a redundant backup of the controller of each region, to prevent loss of information when a controller is interrupted unexpectedly; the fault recovery module restores the related security protection measures quickly after a controller, a virtual switch or a cloud host fails.
8. A cloud computing security protection method based on SDN, characterized in that, in the method, the virtual switch on each host of the cloud forwards traffic according to the flow table issued by the master control platform so as to ensure security, forwards the traffic of the ports to be monitored to the designated security virtual machine (SVM), and forwards suspicious traffic to the master control platform; the master control platform formulates the security protection requirements according to the changes in the security environment fed back by the SDN-capable virtual switches and the virtualization platform interface, issues flow tables to the relevant virtual switches on each host, and through the interface adjusts the security virtual appliances on each host, for example adding or removing IDS intrusion detection, security audit, SOC security management platform and vulnerability scanning appliances; the virtual bridge of each host in the cloud is replaced by an SDN-capable virtual switch to meet the requirements of the SDN network; the specific procedure of the method is:
S1. System initialization: the master control platform obtains, through the interface of each host in the cloud, the virtual machines on each host and the host's resource usage, formulates the traffic security policy and the requirements for generating security virtual appliances, and notifies the SDN controller cluster control module and the SVM controller cluster control module to carry them out;
S2. The network state monitoring module collects information through the SDN-capable virtual switch on each host; when a flow received by the virtual switch matches no flow-table rule, the switch extracts the key information of that flow, arranges it into a fixed-format message and sends it to the security decision module and the SDN controller of the controller cluster control module, reflecting the current change in network traffic;
S3. The virtual machine migration monitoring module monitors migration activity through the interface with the virtualization platform on the host; specifically, when a virtual machine is about to migrate, the module is notified through this interface and obtains the relevant information, such as the destination host, the IP address the virtual machine is migrating from and the associated security policy; finally it arranges this information into the fixed-format message and feeds it back to the security decision module of the controller cluster control module;
S4. The virtual machine state monitoring module and the virtual machine resource change monitoring module both monitor the state of the virtual machines in the cloud environment, process the state-change information they obtain and send it to the controller cluster control module; the virtual machine state monitoring module monitors running virtual machines, tracking changes in the network, compute and storage resources they occupy; the virtual machine resource change monitoring module monitors virtual machine shutdown and suspension; after obtaining the information, both modules arrange it into the fixed format and feed it back to the security decision module of the controller cluster control module;
S5. The security policy acquisition module of the security decision module of the controller cluster control module analyses the environment-change information obtained in steps S2 to S4, derives the current security threat level and security protection scope according to its algorithm, converts them into the corresponding parameters and passes them to the security policy analysis module; the security policy analysis module processes the parameters against the system's default security policy and generates the security policy to be executed; the security policy comprises the traffic forwarding rules that each node in the network must follow, which hosts need how many security virtual appliances of which type, and which virtual switches on the hosts need to be changed; the security policy analysis module then outputs the result to the security policy execution module, and finally the security policy execution module notifies the SDN controller cluster control module and the SVM controller cluster control module to execute these security decisions;
S6. The virtual switch change module of the SDN controller cluster control module determines, from the traffic security policy and the security virtual appliance change requirements sent by the security decision module in step S5, which virtual switches on which hosts need to be added, changed or deleted, and notifies the corresponding hosts to create, change or delete virtual switches, or to add, change or delete ports or interfaces on existing virtual switches;
S7. The SDN controller cluster control module calls the flow table generation module to generate the flow tables that need to be added, updated or deleted according to the notification of the security policy execution module in step S5; the flow table issuing module then sends the flow tables to the designated virtual switches to update their flow-table rules;
S8. The SVM controller cluster control module, according to the notification of the security policy execution module in step S5, performs the changes to the security virtual appliances on the hosts; it comprises a virtual machine creation and deployment module, a virtual machine suspension module, a virtual machine shutdown module and a virtual machine synchronous migration module; it receives the security virtual appliance change requirements sent by the security decision module, selects the corresponding one of these four modules and coordinates with the SDN controller cluster control module to add, suspend or clone security virtual appliances on the designated host; in this way, when virtual machines are added to or deleted from a host, the host is given matching protection capacity without wasting resources, and when a virtual machine migrates between hosts, its original security policy follows it without interruption;
S9. Finally, the virtual switch change module of the SDN controller cluster control module re-examines the security virtual appliances and the parts of the network that have changed, and revises the flow tables.
9. The method according to claim 8, characterized in that, in step s1, the master control platform issues to the SDN-capable virtual switch of each host in the cloud computing environment the basic flow tables built from the security rules, and deploys the required virtual security devices on the respective hosts through an interface.
10. The method according to claim 8, characterized in that, in step s7, the virtual switches operate according to the flow tables issued by the master control platform to ensure security, forwarding the traffic of the ports to be monitored to the designated virtual security device (SVM), and forwarding suspicious traffic to the master control platform.
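The following is an added worked example, not code from the patent or its assignee: a small model of the policy loop in claim 8, steps s5 to s9, together with the traffic steering of claims 9 and 10. The environment monitor supplies the VM-to-host map and the set of VMs whose port traffic must be inspected; desired_state() derives the protection scope and the flow rules (s5); plan() turns the difference between desired and deployed state into ordered virtual-switch, flow-table and SVM actions (s6 to s8), building new capacity before tearing old capacity down so that a migrating VM is never left uncovered (s8, s9). The threat-level heuristic, the one-virtual-switch-per-host naming, the "svm-<host>" port names and the OpenFlow-like match/action strings are all assumptions made for the illustration; the patent does not specify them.

```python
"""Added example (not the patent's code): policy loop of claim 8, steps s5-s9."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

CONTROLLER = "output:controller"   # the master control platform (assumed action name)
Action = Tuple[str, object]

@dataclass(frozen=True, order=True)
class FlowRule:
    switch: str     # virtual switch; assumed one per host, named after the host
    match: str      # assumed OpenFlow-like match string
    action: str
    priority: int

@dataclass
class Env:
    """Current cloud state as fed back by the environment monitor (s2 to s4)."""
    vms: Dict[str, str]      # vm name -> host it runs on
    monitored: Set[str]      # vms whose port traffic the policy says to inspect

@dataclass
class Deployed:
    """What the SDN and SVM controller clusters currently have in place."""
    rules: Set[FlowRule] = field(default_factory=set)
    svms: Set[str] = field(default_factory=set)   # hosts running a security VM

def threat_level(env: Env) -> int:
    """Stand-in for the patent's unspecified algorithm (assumption):
    0 = nothing monitored, 1 = monitored VMs present, 2 = some host has three or more."""
    per_host: Dict[str, int] = {}
    for vm in env.monitored:
        if vm in env.vms:
            per_host[env.vms[vm]] = per_host.get(env.vms[vm], 0) + 1
    if not per_host:
        return 0
    return 2 if max(per_host.values()) >= 3 else 1

def protection_range(env: Env) -> Set[str]:
    """Hosts that run at least one monitored VM need an SVM (s5)."""
    return {env.vms[vm] for vm in env.monitored if vm in env.vms}

def desired_state(env: Env) -> Tuple[Set[FlowRule], Set[str]]:
    """Security policy (s5): rules each switch must hold, and hosts that need an SVM."""
    hosts = protection_range(env)
    rules: Set[FlowRule] = set()
    for host in hosts:
        # claim 10: what the SVM hands back as suspicious goes to the master control platform
        rules.add(FlowRule(host, f"in_port=svm-{host}", CONTROLLER, 200))
    for vm in env.monitored:
        if vm in env.vms:
            host = env.vms[vm]
            # claim 10: monitored port traffic is steered through the host's SVM
            rules.add(FlowRule(host, f"in_port={vm}", f"output:svm-{host}", 100))
    return rules, hosts

def plan(env: Env, deployed: Deployed) -> List[Action]:
    """Ordered actions for s6 to s8: additions first, removals last, so a VM that
    migrates between hosts keeps its policy without a gap (s8, s9)."""
    want_rules, want_hosts = desired_state(env)
    actions: List[Action] = []
    for host in sorted(want_hosts - deployed.svms):
        actions.append(("vswitch_port_add", host))     # s6: port for the new SVM
        actions.append(("svm_create", host))           # s8: creation/deployment module
    for rule in sorted(want_rules - deployed.rules):
        actions.append(("flow_add", rule))             # s7: flow table issuing
    for rule in sorted(deployed.rules - want_rules):
        actions.append(("flow_del", rule))             # s7 / s9: stale entries removed
    for host in sorted(deployed.svms - want_hosts):
        actions.append(("svm_shutdown", host))         # s8: shutdown module
        actions.append(("vswitch_port_del", host))     # s6
    return actions

def apply_plan(deployed: Deployed, actions: List[Action]) -> Deployed:
    """Record the effect of the actions and return the new deployed state."""
    new = Deployed(set(deployed.rules), set(deployed.svms))
    for kind, target in actions:
        if kind == "flow_add":
            new.rules.add(target)
        elif kind == "flow_del":
            new.rules.discard(target)
        elif kind == "svm_create":
            new.svms.add(target)
        elif kind == "svm_shutdown":
            new.svms.discard(target)
        # virtual-switch port add/del carry no state in this model
    return new

if __name__ == "__main__":
    # constructed scenario: vm-a is monitored, then migrates from host1 to host2
    env = Env({"vm-a": "host1", "vm-b": "host1", "vm-c": "host2"}, {"vm-a"})
    state = apply_plan(Deployed(), plan(env, Deployed()))
    env.vms["vm-a"] = "host2"
    for kind, target in plan(env, state):
        print(kind, target)
```

Running the script prints the migration plan: the SVM and its steering rules are created on host2 before the host1 rules are deleted and the now-idle host1 SVM is shut down, which is the "policy migrates with the VM without interruption" property of step s8, and the second call to plan() after applying it returns nothing, which is the re-check of step s9.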
CN201410160049.3A 2014-04-21 2014-04-21 Cloud computing safety protection system and method based on SDN Expired - Fee Related CN103973676B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410160049.3A CN103973676B (en) 2014-04-21 2014-04-21 Cloud computing safety protection system and method based on SDN

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410160049.3A CN103973676B (en) 2014-04-21 2014-04-21 Cloud computing safety protection system and method based on SDN

Publications (2)

Publication Number Publication Date
CN103973676A true CN103973676A (en) 2014-08-06
CN103973676B CN103973676B (en) 2017-05-24

Family

ID=51242722

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410160049.3A Expired - Fee Related CN103973676B (en) 2014-04-21 2014-04-21 Cloud computing safety protection system and method based on SDN

Country Status (1)

Country Link
CN (1) CN103973676B (en)

Cited By (47)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104158910A (en) * 2014-08-29 2014-11-19 金石易诚(北京)科技有限公司 Automatic deployment system for cloud Web application
CN104243205A (en) * 2014-09-03 2014-12-24 杭州华三通信技术有限公司 Message processing method and device used during virtual switch fault
CN104270260A (en) * 2014-09-19 2015-01-07 杭州华三通信技术有限公司 Method and device for elastic expansion of scale of SDN controller cluster
CN104407911A (en) * 2014-10-31 2015-03-11 杭州华三通信技术有限公司 Virtual machine migration method and device
CN104618379A (en) * 2015-02-04 2015-05-13 北京天地互连信息技术有限公司 IDC service scene-oriented security service arranging method and network structure
CN104753951A (en) * 2015-04-13 2015-07-01 成都双奥阳科技有限公司 Network security traffic platform based on software definition
CN104852840A (en) * 2015-05-28 2015-08-19 杭州华三通信技术有限公司 Method and device for controlling mutual access between virtual machines
CN105049450A (en) * 2015-08-24 2015-11-11 北京汉柏科技有限公司 Cloud security system based on virtual network environment and deployment framework of cloud security system
CN105072162A (en) * 2015-07-21 2015-11-18 哈尔滨理工大学 Large-scale network game framework system and method based on SDN and cloud platform
CN105262611A (en) * 2015-09-07 2016-01-20 中国电子科技网络信息安全有限公司 Virtual machine policy management device and management method based on open-stack
CN105337945A (en) * 2014-08-12 2016-02-17 中兴通讯股份有限公司 Cloud security maintenance processing method and device
CN105337952A (en) * 2014-08-14 2016-02-17 杭州华三通信技术有限公司 Method and device used for inhibiting host computer from frequently migrating
CN105376246A (en) * 2015-11-30 2016-03-02 中国电子科技网络信息安全有限公司 Adaptive generation management system and method of security strategy based on SDN
CN105429974A (en) * 2015-11-10 2016-03-23 南京邮电大学 SDN-oriented intrusion defense system and method
CN105592016A (en) * 2014-10-29 2016-05-18 国家电网公司 Virtual machine protection device of power information system in cloud environment
CN105681371A (en) * 2014-11-18 2016-06-15 中兴通讯股份有限公司 Synchronization method and device for network device virtual machines
CN105959275A (en) * 2016-04-26 2016-09-21 北京启明星辰信息安全技术有限公司 Security integrated machine system
CN105991315A (en) * 2015-02-03 2016-10-05 华为技术有限公司 Link protection method applied to SDN (software defined network), switching device and network controller
CN106161548A (en) * 2015-04-15 2016-11-23 先智云端数据股份有限公司 Data base, application program and the system of storage safety in software defined network
CN106330537A (en) * 2016-08-22 2017-01-11 刘昱 Control plane management apparatus and method for SDN network device
CN106911723A (en) * 2017-04-26 2017-06-30 北京启明星辰信息安全技术有限公司 Traffic security processing method and safety virtualization system
CN106936609A (en) * 2015-12-29 2017-07-07 中兴通讯股份有限公司 The method and controller of forwarding unit cluster are controlled in a kind of software defined network
CN107171979A (en) * 2017-06-30 2017-09-15 广州市品高软件股份有限公司 Vulnerability scanning method and system based on cloud computing and SDN
CN107506640A (en) * 2017-06-28 2017-12-22 青岛以太科技股份有限公司 Virtual machine guard system
CN107515559A (en) * 2016-06-17 2017-12-26 苗玉水 The execution system of adaptive full-automatic foreign language text cloud computing cluster remote control
CN107769961A (en) * 2017-09-14 2018-03-06 广州西麦科技股份有限公司 A kind of SDN controllers cluster and network system
CN107786495A (en) * 2016-08-24 2018-03-09 北京计算机技术及应用研究所 Cloud environment network security protection system
CN107888438A (en) * 2016-09-29 2018-04-06 上海天旦网络科技发展有限公司 A kind of automatic sensing based on flow table technology and the method and system for adapting to cloud environment change
CN108200073A (en) * 2018-01-12 2018-06-22 阳光保险集团股份有限公司 A kind of sensitive data safety system
CN108259545A (en) * 2017-01-13 2018-07-06 新华三技术有限公司 Port security strategy method of diffusion and device
CN108293009A (en) * 2015-12-31 2018-07-17 华为技术有限公司 Scheduling and the flux monitoring method of a kind of software definition data center and service cluster therein
CN109150648A (en) * 2018-05-30 2019-01-04 太仓鸿策拓达科技咨询有限公司 Self-test network safety system
CN109196474A (en) * 2016-05-17 2019-01-11 微软技术许可有限责任公司 Distributed operation control in computing system
CN109246100A (en) * 2018-09-07 2019-01-18 刘洋 A kind of software defined network safely performs method
CN109246152A (en) * 2018-11-06 2019-01-18 北京华顺信安科技有限公司 A kind of a wide range of general vulnerability scanning method and system
US20190079789A1 (en) * 2016-03-18 2019-03-14 Telefonaktiebolaget Lm Ericsson (Publ) Using nano-services to secure multi-tenant networking in datacenters
CN109981493A (en) * 2019-04-09 2019-07-05 苏州浪潮智能科技有限公司 A kind of method and apparatus for configuring virtual machine network
WO2019205282A1 (en) * 2018-04-27 2019-10-31 广州西麦科技股份有限公司 Sdn-based network management control method, device, and computer readable storage medium
CN111031091A (en) * 2019-10-30 2020-04-17 哈尔滨安天科技集团股份有限公司 Automatic adaptation method and device for cloud platform virtual diversion technology
CN111026525A (en) * 2019-10-30 2020-04-17 哈尔滨安天科技集团股份有限公司 Scheduling method and device of cloud platform virtual diversion technology
CN111224821A (en) * 2019-12-31 2020-06-02 北京山石网科信息技术有限公司 Security service deployment system, method and device
CN111865514A (en) * 2019-04-26 2020-10-30 瞻博网络公司 Control plane isolation for software defined network routing services
CN107346262B (en) * 2017-06-06 2020-12-15 华为技术有限公司 Task migration method and controller
CN113204774A (en) * 2021-04-29 2021-08-03 北京连山科技股份有限公司 Rapid data security protection algorithm based on multi-cloud environment
US11237858B2 (en) 2015-12-31 2022-02-01 Huawei Technologies Co., Ltd. Software-defined data center, and deployment method for service cluster therein
CN115766289A (en) * 2022-12-23 2023-03-07 河南大学 Distributed network security method facing virtual machine cluster
CN116192755A (en) * 2023-04-28 2023-05-30 惠州迈腾伟业科技发展有限公司 Congestion processing method and system based on virtual switch establishment

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108234223B (en) * 2018-04-19 2021-09-07 郑州云海信息技术有限公司 Safety service design method of data center integrated management system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101765225A (en) * 2008-12-24 2010-06-30 华为技术有限公司 Virtual cluster management system and cluster node
CN102724313A (en) * 2012-06-19 2012-10-10 招商局重庆交通科研设计院有限公司 Clustering bridge operation safety monitoring system based on cloud computation
CN102843387A (en) * 2011-06-20 2012-12-26 倪海宇 Cloud computing safety control platform based on safety classification
US20140016501A1 (en) * 2012-07-16 2014-01-16 International Business Machines Corporation Flow based overlay network
CN103685250A (en) * 2013-12-04 2014-03-26 蓝盾信息安全技术股份有限公司 Virtual machine security policy migration system and method based on SDN

Cited By (72)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105337945A (en) * 2014-08-12 2016-02-17 中兴通讯股份有限公司 Cloud security maintenance processing method and device
CN105337952A (en) * 2014-08-14 2016-02-17 杭州华三通信技术有限公司 Method and device used for inhibiting host computer from frequently migrating
CN105337952B (en) * 2014-08-14 2018-07-20 新华三技术有限公司 Method and apparatus for inhibiting host frequent migration
US10158705B2 (en) 2014-08-14 2018-12-18 Hewlett Packard Enterprise Development Lp Migration of hosts
WO2016023518A1 (en) * 2014-08-14 2016-02-18 Hangzhou H3C Technologies Co., Ltd. Migration of hosts
CN104158910B (en) * 2014-08-29 2017-12-15 金石易诚(北京)科技有限公司 A kind of high in the clouds Web applications automatically dispose system
CN104158910A (en) * 2014-08-29 2014-11-19 金石易诚(北京)科技有限公司 Automatic deployment system for cloud Web application
CN104243205A (en) * 2014-09-03 2014-12-24 杭州华三通信技术有限公司 Message processing method and device used during virtual switch fault
CN104243205B (en) * 2014-09-03 2019-01-25 新华三技术有限公司 Message processing method and equipment when a kind of virtual switch failure
CN104270260A (en) * 2014-09-19 2015-01-07 杭州华三通信技术有限公司 Method and device for elastic expansion of scale of SDN controller cluster
CN104270260B (en) * 2014-09-19 2017-12-08 新华三技术有限公司 A kind of method and device of the resilient expansion of SDN controllers cluster scale
CN105592016A (en) * 2014-10-29 2016-05-18 国家电网公司 Virtual machine protection device of power information system in cloud environment
CN105592016B (en) * 2014-10-29 2019-04-30 国家电网公司 The protective device of virtual machine under a kind of cloud environment of power information system
CN104407911B (en) * 2014-10-31 2018-03-20 新华三技术有限公司 Virtual machine migration method and device
CN104407911A (en) * 2014-10-31 2015-03-11 杭州华三通信技术有限公司 Virtual machine migration method and device
CN105681371A (en) * 2014-11-18 2016-06-15 中兴通讯股份有限公司 Synchronization method and device for network device virtual machines
US10873527B2 (en) 2015-02-03 2020-12-22 Huawei Technologies Co., Ltd. Link protection method in SDN, switching device, and network controller
CN105991315A (en) * 2015-02-03 2016-10-05 华为技术有限公司 Link protection method applied to SDN (software defined network), switching device and network controller
CN104618379A (en) * 2015-02-04 2015-05-13 北京天地互连信息技术有限公司 IDC service scene-oriented security service arranging method and network structure
CN104753951A (en) * 2015-04-13 2015-07-01 成都双奥阳科技有限公司 Network security traffic platform based on software definition
CN106161548B (en) * 2015-04-15 2019-01-04 先智云端数据股份有限公司 For database, application program and the system for storing safety in software defined network
CN106161548A (en) * 2015-04-15 2016-11-23 先智云端数据股份有限公司 Data base, application program and the system of storage safety in software defined network
CN104852840B (en) * 2015-05-28 2018-08-24 新华三技术有限公司 A kind of method and device exchanged visits between control virtual machine
CN104852840A (en) * 2015-05-28 2015-08-19 杭州华三通信技术有限公司 Method and device for controlling mutual access between virtual machines
CN105072162A (en) * 2015-07-21 2015-11-18 哈尔滨理工大学 Large-scale network game framework system and method based on SDN and cloud platform
CN105049450A (en) * 2015-08-24 2015-11-11 北京汉柏科技有限公司 Cloud security system based on virtual network environment and deployment framework of cloud security system
CN105262611B (en) * 2015-09-07 2018-12-21 中国电子科技网络信息安全有限公司 Virtual machine tactical management device and management method based on open-stack
CN105262611A (en) * 2015-09-07 2016-01-20 中国电子科技网络信息安全有限公司 Virtual machine policy management device and management method based on open-stack
CN105429974A (en) * 2015-11-10 2016-03-23 南京邮电大学 SDN-oriented intrusion defense system and method
CN105429974B (en) * 2015-11-10 2018-09-11 南京邮电大学 A kind of intrusion prevention system and method towards SDN
CN105376246A (en) * 2015-11-30 2016-03-02 中国电子科技网络信息安全有限公司 Adaptive generation management system and method of security strategy based on SDN
CN105376246B (en) * 2015-11-30 2018-08-03 中国电子科技网络信息安全有限公司 A kind of security strategy adaptive generation management system and method based on SDN
CN106936609B (en) * 2015-12-29 2020-10-16 南京中兴新软件有限责任公司 Method for controlling forwarding equipment cluster in software defined network and controller
CN106936609A (en) * 2015-12-29 2017-07-07 中兴通讯股份有限公司 The method and controller of forwarding unit cluster are controlled in a kind of software defined network
CN108293009B (en) * 2015-12-31 2021-05-18 华为技术有限公司 Software defined data center and scheduling method of service cluster in software defined data center
US11237858B2 (en) 2015-12-31 2022-02-01 Huawei Technologies Co., Ltd. Software-defined data center, and deployment method for service cluster therein
CN108293009A (en) * 2015-12-31 2018-07-17 华为技术有限公司 Scheduling and the flux monitoring method of a kind of software definition data center and service cluster therein
US10846121B2 (en) * 2016-03-18 2020-11-24 Telefonaktiebolaget Lm Ericsson (Publ) Using nano-services to secure multi-tenant networking in datacenters
US20190079789A1 (en) * 2016-03-18 2019-03-14 Telefonaktiebolaget Lm Ericsson (Publ) Using nano-services to secure multi-tenant networking in datacenters
CN105959275A (en) * 2016-04-26 2016-09-21 北京启明星辰信息安全技术有限公司 Security integrated machine system
CN109196474A (en) * 2016-05-17 2019-01-11 微软技术许可有限责任公司 Distributed operation control in computing system
CN107515559A (en) * 2016-06-17 2017-12-26 苗玉水 The execution system of adaptive full-automatic foreign language text cloud computing cluster remote control
CN106330537A (en) * 2016-08-22 2017-01-11 刘昱 Control plane management apparatus and method for SDN network device
CN107786495A (en) * 2016-08-24 2018-03-09 北京计算机技术及应用研究所 Cloud environment network security protection system
CN107888438A (en) * 2016-09-29 2018-04-06 上海天旦网络科技发展有限公司 A kind of automatic sensing based on flow table technology and the method and system for adapting to cloud environment change
CN108259545B (en) * 2017-01-13 2021-04-27 新华三技术有限公司 Port security policy diffusion method and device
CN108259545A (en) * 2017-01-13 2018-07-06 新华三技术有限公司 Port security strategy method of diffusion and device
CN106911723B (en) * 2017-04-26 2020-03-03 北京启明星辰信息安全技术有限公司 Flow safety processing method and safety virtualization system
CN106911723A (en) * 2017-04-26 2017-06-30 北京启明星辰信息安全技术有限公司 Traffic security processing method and safety virtualization system
CN107346262B (en) * 2017-06-06 2020-12-15 华为技术有限公司 Task migration method and controller
CN107506640A (en) * 2017-06-28 2017-12-22 青岛以太科技股份有限公司 Virtual machine guard system
CN107171979A (en) * 2017-06-30 2017-09-15 广州市品高软件股份有限公司 Vulnerability scanning method and system based on cloud computing and SDN
CN107769961A (en) * 2017-09-14 2018-03-06 广州西麦科技股份有限公司 A kind of SDN controllers cluster and network system
CN108200073A (en) * 2018-01-12 2018-06-22 阳光保险集团股份有限公司 A kind of sensitive data safety system
CN108200073B (en) * 2018-01-12 2021-04-09 阳光保险集团股份有限公司 Sensitive data safety protection system
WO2019205282A1 (en) * 2018-04-27 2019-10-31 广州西麦科技股份有限公司 Sdn-based network management control method, device, and computer readable storage medium
CN109150648A (en) * 2018-05-30 2019-01-04 太仓鸿策拓达科技咨询有限公司 Self-test network safety system
CN109246100A (en) * 2018-09-07 2019-01-18 刘洋 A kind of software defined network safely performs method
CN109246152A (en) * 2018-11-06 2019-01-18 北京华顺信安科技有限公司 A kind of a wide range of general vulnerability scanning method and system
CN109981493A (en) * 2019-04-09 2019-07-05 苏州浪潮智能科技有限公司 A kind of method and apparatus for configuring virtual machine network
CN109981493B (en) * 2019-04-09 2020-05-01 苏州浪潮智能科技有限公司 Method and device for configuring virtual machine network
CN111865514A (en) * 2019-04-26 2020-10-30 瞻博网络公司 Control plane isolation for software defined network routing services
CN111865514B (en) * 2019-04-26 2023-07-21 瞻博网络公司 Control plane isolation for software defined network routing services
CN111026525A (en) * 2019-10-30 2020-04-17 哈尔滨安天科技集团股份有限公司 Scheduling method and device of cloud platform virtual diversion technology
CN111031091A (en) * 2019-10-30 2020-04-17 哈尔滨安天科技集团股份有限公司 Automatic adaptation method and device for cloud platform virtual diversion technology
CN111031091B (en) * 2019-10-30 2022-10-21 安天科技集团股份有限公司 Automatic adaptation method and device for cloud platform virtual diversion technology
CN111026525B (en) * 2019-10-30 2024-02-13 安天科技集团股份有限公司 Scheduling method and device for cloud platform virtual diversion technology
CN111224821A (en) * 2019-12-31 2020-06-02 北京山石网科信息技术有限公司 Security service deployment system, method and device
CN113204774A (en) * 2021-04-29 2021-08-03 北京连山科技股份有限公司 Rapid data security protection algorithm based on multi-cloud environment
CN115766289A (en) * 2022-12-23 2023-03-07 河南大学 Distributed network security method facing virtual machine cluster
CN116192755A (en) * 2023-04-28 2023-05-30 惠州迈腾伟业科技发展有限公司 Congestion processing method and system based on virtual switch establishment
CN116192755B (en) * 2023-04-28 2023-08-11 惠州迈腾伟业科技发展有限公司 Congestion processing method and system based on virtual switch establishment

Also Published As

Publication number Publication date
CN103973676B (en) 2017-05-24

Similar Documents

Publication Publication Date Title
CN103973676A (en) Cloud computing safety protection system and method based on SDN
Dietz et al. Integrating digital twin security simulations in the security operations center
CN112769825B (en) Network security guarantee method, system and computer storage medium
CN103973481A (en) System and method for auditing cloud computing data center based on SDN
CN104023034B (en) Security defensive system and defensive method based on software-defined network
ES2941337T3 (en) Software-defined automation system and architecture
CN104506507B (en) A kind of sweet net safety protective system and method for SDN
JP6568654B2 (en) System and method for identifying compromised devices in an industrial control system
US10812523B2 (en) Adaptive union file system based protection of services
CN112887268B (en) Network security guarantee method and system based on comprehensive detection and identification
KR102088308B1 (en) Cloud security analysing apparatus, apparatus and method for management of security policy based on nsfv
CN104038466A (en) Intrusion detection system, method and device for cloud calculating environment
CN108123919A (en) The monitoring guard system and method for network
CN104866407A (en) Monitoring system and method in virtual machine environment
Kim et al. Monitoring and detecting abnormal behavior in mobile cloud infrastructure
CN104468504A (en) Monitoring method and system for virtualized network dynamic information security
Bondan et al. Anomaly detection framework for SFC integrity in NFV environments
CN105704087A (en) Device for realizing network security management based on virtualization and management method
Tanaka et al. IoT system security issues and solution approaches
KR101454838B1 (en) Cloud enterprise security management system for interworking of Hypervisor-based virtual network and host intrusion prevention system
Dayabhai et al. The role of virtualization in a smart-grid enabled substation automation system
Palmisano et al. D-STREAMON—NFV-capable distributed framework for network monitoring
Zhang et al. A virtualization-based security architecture for industrial control systems
Lau et al. Securing supervisory control and data acquisition control systems
Sadiku et al. Software-defined security

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
    Effective date of registration: 20210322
    Address after: No.16, Tianhui Road, Tianhe District, Guangzhou, Guangdong 510000
    Patentee after: BLUEDON INFORMATION SECURITY TECHNOLOGY Corp.,Ltd.
    Address before: 510665 20-21 / F, building a, information port, No.16 Keyun Road, Tianhe District, Guangzhou City, Guangdong Province
    Patentee before: BLUEDON INFORMATION SECURITY TECHNOLOGY Co.,Ltd.
CF01 Termination of patent right due to non-payment of annual fee
    Granted publication date: 20170524